From e05a7337add6c5f61d5abc05bb69c8d0698aa3ef Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Tue, 21 Aug 2018 15:43:34 -0400 Subject: Default disable support for TLS v1.0/v1.1 and all CBC and CCM suites --- doc/manual/tls.rst | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst index ba1bee1b0..5e615af0f 100644 --- a/doc/manual/tls.rst +++ b/doc/manual/tls.rst @@ -822,16 +822,19 @@ policy settings from a file. Cipher names without an explicit mode refers to CBC+HMAC ciphersuites. - Default value: "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM", - "AES-256/CCM", "AES-128/CCM", "AES-256", "AES-128" + Default value: "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" - Also allowed: "AES-256/CCM(8)", "AES-128/CCM(8)", + Also allowed: "AES-256", "AES-128", + "AES-256/CCM", "AES-128/CCM", "AES-256/CCM(8)", "AES-128/CCM(8)", "Camellia-256/GCM", "Camellia-128/GCM", "ARIA-256/GCM", "ARIA-128/GCM", "Camellia-256", "Camellia-128" Also allowed (though currently experimental): "AES-128/OCB(12)", "AES-256/OCB(12)" + In versions up to 2.8.0, the CBC and CCM ciphersuites "AES-256", + "AES-128", "AES-256/CCM" and "AES-128/CCM" were enabled by default. + Also allowed (although **not recommended**): "SEED", "3DES" .. note:: @@ -1051,6 +1054,20 @@ policy settings from a file. Default: 2048 bits +.. cpp:function:: bool allow_tls10() const + + Return true from here to allow TLS v1.0. Since 2.8.0, returns + ``false`` by default. + +.. cpp:function:: bool allow_tls11() const + + Return true from here to allow TLS v1.1. Since 2.8.0, returns + ``false`` by default. + +.. cpp:function:: bool allow_tls12() const + + Return true from here to allow TLS v1.2. Returns ``true`` by default. + .. cpp:function:: size_t minimum_rsa_bits() const Minimum accepted RSA key size. Default 2048 bits. -- cgit v1.2.3
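Review bot: in the first hunk (the ciphersuite list at line 822), the added sentence "In versions up to 2.8.0, the CBC and CCM ciphersuites ... were enabled by default" is ambiguous about whether 2.8.0 itself still has the old default, and it reads as contradicting the second hunk, which dates the TLS v1.0/v1.1 change "Since 2.8.0". If 2.8.0 is the first release with the AEAD-only default, say so in the same form, e.g. "Prior to 2.8.0, the CBC and CCM ciphersuites "AES-256", "AES-128", "AES-256/CCM" and "AES-128/CCM" were enabled by default." It would also help to state in that sentence that these suites remain selectable through this setting, since the entries were moved to "Also allowed" without any explanation of why they were demoted from the default.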
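Review bot: the new allow_tls10() and allow_tls11() entries in the second hunk (line 1051) should mention their interaction with the ciphersuite default changed in the first hunk. TLS v1.0 and v1.1 cannot negotiate the GCM or ChaCha20Poly1305 suites (AEAD suites exist only for TLS v1.2), so an application that overrides allow_tls10() or allow_tls11() to return true while keeping the new default list of "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM" has no usable ciphersuite for those protocol versions and must also add the CBC suites "AES-256" and "AES-128" back to its policy. A sentence to that effect after each "Since 2.8.0, returns ``false`` by default" line would keep readers from producing a policy that accepts the old versions but cannot complete a handshake with them.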